[
  {
    "path": "CONTRIBUTING.md",
    "content": "# Contribution Guidelines\n\n1. Read and adhere to the [Code-of-Conduct](./code-of-conduct.md)\n2. Make sure you put things in the right category!\n3. Always add your items to the end of a list. To be fair, the order is first-come-first-serve.\n4. If you think something belongs in the wrong category, or think there needs to be a new category, feel free to edit things too.\n\nPlease ensure your pull request adheres to the following guidelines:\n\n- Search previous suggestions before making a new one, as yours may be a duplicate.\n- Suggested READMEs should be beautiful or stand out in some way.\n- Make an individual pull request for each suggestion.\n- New categories, or improvements to the existing categorization are welcome.\n- Keep descriptions short and simple, but descriptive.\n- Start the description with a capital and end with a full stop/period.\n- Check your spelling and grammar.\n- Make sure your text editor is set to remove trailing whitespace.\n\nThank you for your suggestions!\n"
  },
  {
    "path": "README.md",
    "content": "<br/>\n<div align=\"center\">\n\nA curated list of awesome .NET Security related resources.\n\n[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n\n_List inspired by the [awesome](https://github.com/sindresorhus/awesome) list thing._\n\nSupported by: [GuardRails.io](https://www.guardrails.io)\n\n</div>\n<br/>\n\n# Contents\n- [Tools](#tools)\n- [Educational](#educational)\n- [Companies](#companies)\n- [Other](#other)\n\n# Tools\n\n## Libraries\n\n- [.NET Core Security Headers](https://github.com/juunas11/aspnetcore-security-headers) - Middleware for adding security headers to an ASP.NET Core application.\n- [NetEscapades.AspNetCore.SecurityHeaders](https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders) - Small package to allow adding security headers to ASP.NET Core websites.\n- [HtmlSanitizer](https://github.com/mganss/HtmlSanitizer) - Cleans HTML to avoid XSS attacks.\n- [JWT .NET](https://github.com/jwt-dotnet/jwt) - Jwt.Net, a JWT (JSON Web Token) implementation for .NET.\n- [NWebsec](https://github.com/NWebsec/NWebsec) - Security libraries for ASP.NET.\n- [AspNetSaml](https://github.com/jitbit/AspNetSaml) - SAML client library, allows adding SAML single-sign-on to your ASP.NET app.\n- [AspNetCoreRateLimit](https://github.com/stefanprodan/AspNetCoreRateLimit) - Package that will let you set rate limits for your .NET Core Api.\n\n## Static Code Analysis\n\n- [GuardRails](https://www.guardrails.io) - Continuous verification platform that integrates tightly with leading version control systems.\n- [Security Code Scan](https://github.com/security-code-scan/security-code-scan) - Vulnerability Patterns Detector for C# and VB.NET.\n- [Puma Scan](https://github.com/pumasecurity/puma-scan) - Puma Scan is a .NET software secure code analysis tool providing real time, continuous source code analysis.\n- [DevSkim](https://github.com/Microsoft/DevSkim) - DevSkim is a set of IDE plugins and rules that provide security \"linting\" 
capabilities.\n- [SonarQube](https://github.com/SonarSource/sonar-dotnet) - SonarC# and SonarVB are static code analysers for the C# and VB.NET languages, used as extensions for the SonarQube and SonarCloud platforms. They help you produce stable and easily supported code by finding and correcting bugs, vulnerabilities and smells in your code.\n\n## Vulnerabilities and Security Advisories\n\n- [RetireNET](https://github.com/RetireNet/dotnet-retire) - CLI extension to check your project for known vulnerabilities.\n- [OWASP Dependency Check](https://github.com/jeremylong/DependencyCheck) - Detects publicly disclosed vulnerabilities in application dependencies.\n  - [NuGet tool package](https://www.nuget.org/packages/DependencyCheck.Runner.Tool/) - NuGet tool package for OWASP Dependency Check.\n- [Audit.NET](https://github.com/OSSIndex/audit.net) - Identify known vulnerabilities in .NET NuGet dependencies.\n- [Snyk](https://github.com/snyk/snyk) - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies.\n- [.NET Security Announcements](https://github.com/dotnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) - Watch this repo to receive security announcements in .NET Core.\n- [Snyk Vulnerability DB](https://snyk.io/vuln?type=nuget) - Commercial but free listing of known vulnerabilities in NuGet libraries.\n- [Common Vulnerabilities and Exposures](https://www.cvedetails.com/product/42998/Microsoft-Asp.net-Core.html?vendor_id=26) - Vulnerabilities in .NET Core that were assigned a CVE.\n- [National Vulnerability Database](https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=ASP.NET&queryType=phrase&search_type=all) - .NET related known vulnerabilities in the National Vulnerability Database.\n\n# Educational\n\n## Hacking Playgrounds\n\n- [WebGoat.NET](https://github.com/jerryhoff/WebGoat.NET) - OWASP WebGoat.NET.\n- [Damn Vulnerable Thick Client 
App](https://github.com/secvulture/dvta) - DVTA is a Vulnerable Thick Client Application developed in C# .NET.\n- [ASP.NET Vulnerable Site](http://aspnet.testsparker.com) - Online .NET application that can be used to practice hacking.\n- [The Most Vulnerable .NET App](https://github.com/AlexGoOn/the-most-vulnerable-dotnet-app) - A GitHub repository featuring an application with over 50 interactive security vulnerabilities.\n\n## Articles, Guides & Talks\n\n- [Anti-Request Forgery](https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2) - Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks.\n- [Prevent Cross-Site Scripting](https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-2.2) - Prevent Cross-Site Scripting (XSS).\n- [Protect Secrets in Development](https://docs.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-2.2) - Safe storage of app secrets in development.\n- [.NET Security Cheat Sheet](https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet) - Quick, basic .NET security tips for developers.\n- [Hardening the security of your ASP.NET core apps](https://geeklearning.io/hardening-the-security-of-your-asp-net-core-apps/) - Lessons learned after a third-party penetration test.\n- [Secure Coding Guidelines](https://docs.microsoft.com/en-us/dotnet/standard/security/secure-coding-guidelines) - Microsoft's take on secure coding guidelines.\n- [Security Headers](https://andrewlock.net/adding-default-security-headers-in-asp-net-core/) - Adding Default Security Headers in .NET Core.\n- [The ASP.NET Core security headers guide](https://blog.elmah.io/the-asp-net-core-security-headers-guide/) - Another take on adding security headers in ASP.NET Core.\n- [Security Best Practices for ASP.NET MVC](https://jamilhallal.blogspot.com/2021/08/building-secure-aspnet-mvc-web.html) - Building Secure ASP.NET MVC Web Applications.\n\n# Other\n\n## Reporting Bugs\n\n- [Report a Security 
Issue](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue)\n\n## Contributing\n\nFound an awesome project, package, article, or another type of resource related to .NET Security? Submit a pull request!\nJust follow the [guidelines](/CONTRIBUTING.md). Thank you!\n\n## License\n\n[![CC0](http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](http://creativecommons.org/publicdomain/zero/1.0/)\n"
  },
  {
    "path": "code-of-conduct.md",
    "content": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nIn the interest of fostering an open and welcoming environment, we as\ncontributors and maintainers pledge to making participation in our project and\nour community a harassment-free experience for everyone, regardless of age, body\nsize, disability, ethnicity, sex characteristics, gender identity and expression,\nlevel of experience, education, socio-economic status, nationality, personal\nappearance, race, religion, or sexual identity and orientation.\n\n## Our Standards\n\nExamples of behavior that contributes to creating a positive environment\ninclude:\n\n* Using welcoming and inclusive language\n* Being respectful of differing viewpoints and experiences\n* Gracefully accepting constructive criticism\n* Focusing on what is best for the community\n* Showing empathy towards other community members\n\nExamples of unacceptable behavior by participants include:\n\n* The use of sexualized language or imagery and unwelcome sexual attention or\n  advances\n* Trolling, insulting/derogatory comments, and personal or political attacks\n* Public or private harassment\n* Publishing others' private information, such as a physical or electronic\n  address, without explicit permission\n* Other conduct which could reasonably be considered inappropriate in a\n  professional setting\n\n## Our Responsibilities\n\nProject maintainers are responsible for clarifying the standards of acceptable\nbehavior and are expected to take appropriate and fair corrective action in\nresponse to any instances of unacceptable behavior.\n\nProject maintainers have the right and responsibility to remove, edit, or\nreject comments, commits, code, wiki edits, issues, and other contributions\nthat are not aligned to this Code of Conduct, or to ban temporarily or\npermanently any contributor for other behaviors that they deem inappropriate,\nthreatening, offensive, or harmful.\n\n## Scope\n\nThis Code of Conduct applies both 
within project spaces and in public spaces\nwhen an individual is representing the project or its community. Examples of\nrepresenting a project or community include using an official project e-mail\naddress, posting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event. Representation of a project may be\nfurther defined and clarified by project maintainers.\n\n## Enforcement\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported by contacting the project team at [support@guardrails.io](mailto:support@guardrails.io). All\ncomplaints will be reviewed and investigated and will result in a response that\nis deemed necessary and appropriate to the circumstances. The project team is\nobligated to maintain confidentiality with regard to the reporter of an incident.\nFurther details of specific enforcement policies may be posted separately.\n\nProject maintainers who do not follow or enforce the Code of Conduct in good\nfaith may face temporary or permanent repercussions as determined by other\nmembers of the project's leadership.\n\n## Attribution\n\nThis Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,\navailable at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html\n\n[homepage]: https://www.contributor-covenant.org\n\nFor answers to common questions about this code of conduct, see\nhttps://www.contributor-covenant.org/faq\n"
  }
]